Home page logo
/

metasploit logo Metasploit mailing list archives

Re: shellcodeexec to bypass AV ?
From: John B <johnb.electric () gmail com>
Date: Fri, 15 Apr 2011 09:35:35 -0400

I haven't investigated this script yet but more than likely on the windows
side I'm sure it just does:

Kernel32.dll -
OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread ->
pwned!!

I used to do kind of the same thing by making my own payloads that just
displayed a message box and injected the shellcode.
It may pass standard signature based virus scanners but most heuristic
engines can spot the above API calls. This is only usefull if you already
have access and can run this command. If yur doing an email or web campain
you'll need to do something custom if you really want to bypass virus
scanners.

Most if not all of the metasploit payloads are detected with the basic
template, and now with the custom template option virus scanners can spot
the change in oep and extra text section in the pe.

Your best bet is to program your own. Check out the book: Grey Hat Python it
has a great example of shellcode injection in python that is very easy to
follow.

John
On Thu, Apr 14, 2011 at 4:15 PM, Houcem HACHICHA
<houcem.hachicha () gmail com>wrote:


Hi, have you guys heard about *shellcodeexec* script?


http://www.pentestit.com/2011/04/14/shellcodeexec-execute-metasploit-payloads-memory-bypass-antivirus-protection/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+PenTestIT+%28PenTestIT%29&utm_content=Twitter

The author claims that the script makes Meterpreter bypass AV (better than
Msfencode).

If this is true, can this be implemented in MSF ?

--
*Regads,
Houcem*





_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault